Consider a platform which uses a custom OS which has no mitigation for Spectre/Meltdown - or consider that it is not possible (or simply inconvenient) to apply OS updates to mitigate these issues ...
Will the BIOS updates from Intel completely resolve the current Spectre/Meltdown vulnerabilities on their own?
(or if you apply the BIOS fixes - do you also need OS updates anyway?)
And is there a statement from Intel making this clear?
Thanks for your help!
No, absolutely not!
The microcode updates only contain the fix for SpectreB. SpectreA and Meltdown are currently being addressed by O/S workarounds. If it is "inconvenient" to apply the O/S updates, then the machines in question remain vulnerable. This is not something that you want, considering that sample code showing how to take advantage of these vulnerabilities has actually started appearing in places such as GitHub, so I suggest you overcome this "inconvenience".
Yes, there are statements from Intel regarding this. Here are the related links:
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html Facts about The New Security Research Findings and Intel Products
https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00088&languageid=en-fr INTEL-SA-00088 Advisory
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf Latest Microcode Update Guidance (01-03-18)
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf Latest Microcode Update Guidance (20-02-18)
...S
Thanks Scott -
We were aware that the OS mitigations only address part of the issues and that the BIOS update was still required on some platforms to fully correct SpectreB.
We were uncertain if the converse was true - whether the Intel BIOS fixes addressed the other vulnerabilities on their own.
Sounds like the Intel firmware updates do not fix Meltdown or SpectreA!
Thanks -
Tim
No, the converse is NOT true. There is absolutely nothing that the BIOS can do to assist with the SpectreA and/or Meltdown vulnerabilities. All it can do is load the microcode update that provides the fix for the SpectreB vulnerability.
...S